Stephen Haberman wrote:
Stephen is right. It does not make sense for web application security to be strictly JAAS. The purpose of this solution is to make it so developers can use whatever framework they desire. JAAS has a narrow spectrum. Just because it has the words "Java" and "Security" and is made by Sun, does not mean it needs to be the basis of every application :).

On Fri, Jan 10, 2003 at 05:28:48PM +1100, Paul Smith wrote:

I think your design of the security framework is first rate. What I am not sure about, and as I said before it is probably related to my lack of clear understanding of JAAS, is that your framework (can) effectively "wrap" JAAS. If Sun is pushing JAAS as their "security" architecture, wouldn't it be better for your framework to effectively _BE_ the JAAS implementation. That way Turbine could be seen to be JAAS compatible (always nice to promote standards), and your framework is the actual guts of it.

Unless Dan or someone more intimate with JAAS corrects me, I really don't see how JAAS fits into the Turbine picture. From the tidbits I picked up on the Sun site, JAAS is an authentication/authorization framework for the likes of rlogin/SSH/telnet/Kerberos/etc. For users logging into boxes to get terminals/files/etc. Not for applications doing tens/hundreds/thousands of authentications/authorizations per second as users hit a web application or similar service.

Unless that is what Dan envisions his framework being; e.g. a Fulcrum/Turbine interface that interacts with enterprise systems and the like. But I was fairly sure it was offered as a replacement for the current security framework for merely checking against a JDBC/XML source whether a user has access to X or Y.

I looked at Dan's framework for about as long as I looked at the JAAS stuff, so I could be wrong. And not long enough to make a good judgement call on the quality of Dan's framework, other than I really appreciate the effort as the current solution works well, but could be better.

- Stephen
I will try and write up more of the framework in the next two nights and post it. Hopefully this will give people a better idea of how it will work. I'd like to start the Turbine integration - which should be pretty simple. Once it is integrated into Turbine, people can just write their own ResourceAccessControllers for the web page resource type. So, we'll have a go at it with this framework? I would still like to hear from some of the more longtime developers on the Turbine framework and their thoughts. Everyone has a lot of vested interest in this project, but I'll volunteer to come up with a working implementation of this framework.
- Dan
